| 1 | +The Identity Risk Management Agent in Microsoft Entra ID Protection provides proactive risk management capabilities by analyzing user behavior. The agent then suggests actions to mitigate potential identity risks. You can configure the settings to meet your organization's needs. By using a Large Language Model, the agent helps security administrators review and respond to risky activities before they lead to security incidents. |
| 2 | + |
| 3 | +## Prerequisites |
| 4 | + |
| 5 | +- You must have at least the Microsoft Entra ID P2 license. |
| 6 | +- You must have available security compute units (SCU). |
| 7 | +- You must have the appropriate Microsoft Entra role. |
| 8 | + - **Security Administrator** - required to activate the agent the first time and view the agent and take action on the suggestions. |
| 9 | + - **Security Reader** and **Global Reader** - view the agent and any suggestions (can't take actions). |
| 10 | + |
| 11 | +## How the agent works |
| 12 | + |
| 13 | +The agent checks for new risky identities that weren't previously identified. If new risky identities are found, it takes the following steps (no SCUs consumed): |
| 14 | + |
| 15 | +1. The agent checks for new risky users in your tenant who currently have a risk state of "At risk". |
| 16 | +2. The agent identifies risky users that are within your defined scope settings. |
| 17 | + |
| 18 | +If the agent finds new suggestions, it takes the following steps (SCUs consumed): |
| 19 | + |
| 20 | +| Step | Agent activity | |
| 21 | +| :--- | :----- | |
| 22 | +| Investigate the risky user | The agent checks the user's risky sign-ins and risk detections to analyze what's risky about this user. | |
| 23 | +| Generate findings and a risk summary | The agent generates findings based on the investigation, which includes a thorough risk summary explaining the suggestion and defining the key risk factors. | |
| 24 | +| Generate a recommended remediation action | The agent suggests a remediation action, using the information gathered during the investigation. | |
| 25 | +| Answer questions through chat | IT administrators ask the agent questions related to the risky users and the risk summary. | |
| 26 | +| Store custom instructions in agent memory | Customers can give the agent custom instructions through agent chat, which the agent stores in its memory and applies for future runs. Currently, agent memory can store preferred remediation actions. | |
| 27 | + |
| 28 | +## Using the agent |
| 29 | + |
| 30 | +1. Sign in to the **Microsoft Entra admin center** as at least a Security Administrator. |
| 31 | +2. Browse to **ID Protection** > **Risky users**. |
| 32 | +3. Look for the banner at the top of the page. |
| 33 | +4. Select **Start agent** |
| 34 | + |
| 35 | +### Configuring agent settings |
| 36 | + |
| 37 | +With the **Risky users** page open, select the **Agent view**. Select the ellipses in the upper-right corner and then select Settings. |
| 38 | + |
| 39 | +- **Controls** - provide the roles and permissions needed to run the agent. |
| 40 | +- **Triggers** - set when and how the agent is run: |
| 41 | + - Continuous monitoring - checks for new risky users every 5 minutes |
| 42 | + - Daily trigger - agent runs once per day |
| 43 | + - Manual run - agent runs only when manually launched |
| 44 | +- **Scope** - By default, the agent investigates the most recent 100 risky users within the last 90 days. You can control the scope of for agent scan by adjusting several options. |
| 45 | + - Select users and groups option to search for and select the users and groups you want the agent to scan. |
| 46 | + - Set the maximum recent risky users to scan within 1-100. |
| 47 | + - Select which risk levels to include in the scan. All risk levels are selected by default. |
| 48 | + - Set a specific time frame for the scope: |
| 49 | + - Last 7 days |
| 50 | + - Last 14 days |
| 51 | + - Last 30 days |
| 52 | + - Custom time frame up to 90 days |
| 53 | +- **Communications** - enter a set of users to receive notifications of the agent run. |
| 54 | +- **Memory** - list of user confirmed safe items that were false positives. |
| 55 | + |
| 56 | +## Explore the agent findings report |
| 57 | + |
| 58 | +### Agent summary |
| 59 | +An agent summary appears at the top of the Agent view, showing recent agent activities. This tile provides quick access to the Chat with agent feature and a Manage agent button, which lets you trigger a one-time run or open agent settings. |
| 60 | + |
| 61 | +### Agent suggestions |
| 62 | +Agent suggestions are displayed below the agent summary. Hover over a suggestion to highlight impacted users in the table. Selecting a suggestion filters the table to show only those users for review. Each suggestion includes a bulk action button, so you can apply the action with one button. |
| 63 | + |
| 64 | +Currently, the following remediation actions are available in agent suggestions: |
| 65 | + |
| 66 | +- Dismiss risk |
| 67 | +- Reset password |
| 68 | + |
| 69 | +### Risky users table with agent suggestions |
| 70 | +The lower half of the report lists all risky users. Select a user to view agent findings, risk factors, and suggestions specific to that user. The Agent suggestion column also shows recommended remediation actions directly in the table. Select the action button to apply a remediation to individual users. |
| 71 | + |
| 72 | +### Risky user details |
| 73 | +The Risky user details page provides a new Agent view, which presents agent findings specific to a risky user. This view includes the following information: |
| 74 | + |
| 75 | +- **Basic user information**: Username, current risk level, and User Principal Name (UPN) |
| 76 | +- **Agent findings**: The agent provides a verdict of Compromised or Not compromised based on its investigation |
| 77 | +- **Risk summary**: A detailed explanation of the agent's findings, based on analysis of the user's sign-ins and behaviors |
| 78 | +- **Risk factors**: Key risk indicators summarized for easy review |
| 79 | +- **Suggested remediation action**: A call-to-action button that allows you to quickly start remediating the risk |